Multi-factor authentication
UserLock MFA can be enabled for any user, group or OU in your domain for all logons, unlocks and reconnections to interactive sessions. Choose granular settings to define your MFA policy by the type of session (workstation, server, IIS, VPN or SaaS), the connection type (Local or Remote), and the frequency with which MFA is asked (at every connection, every N days). To help with onboarding, there is also an option that allows users to skip the MFA configuration for a defined number of days.
MFA messages displayed to the end user are customizable, and you can enable an "Ask for help" button on the displayed dialogs so that the end user can send e-mail (and consequently reach applications compatible with e-mail, such as Slack) and/or popup help requests to the UserLock administrators responsible for implementing MFA.
If an end user can’t log on, one-click admin actions are available in the UserLock console to temporarily disable MFA or to reset the MFA key for a specific user.
In addition, ad-hoc reports show how MFA use in your environment evolves over time: logons for which MFA was used, suspicious logons for which MFA has been canceled, and the reasons users skip the configuration.
An MFA dashboard has been added in the UserLock Console as a central place for all of these new features.
The MFA dashboard in the UserLock Console allows you to track MFA activity across your network.
UserLock supports the following MFA methods:
- Push notifications with the UserLock Push app.
- TOTP through authenticator applications and programmable tokens.
- HOTP with security tokens from Yubico.
Here is a full list of tokens compatible with UserLock:
For a complete guide on implementing MFA, go here.
Prerequisites
- Windows 7 and higher or Windows Server 2012 and higher
- Users must have a device to authenticate and configure MFA - either a smartphone with an authenticator application or a USB token.
- Automatic time settings on the UserLock server and end-user smartphones. If the time is set manually, passcodes generated by the UserLock server and end-user smartphones can be out of sync and result in login errors.
For a full list of UserLock prerequisites, go here.